The nearly 60-day relaxation to meet the deadline was provided to micro, small and medium-sized enterprises (MSMEs), data centers, virtual private servers (VPS) and virtual private networks (VPNs) and cloud service providers, the release said. The earlier 60-day deadline to meet cyber security standards would have ended Tuesday.
The expansion, the ministry said, comes after MSMEs, data centers, VPS, VPN and cloud service providers sought time to “build capacity” needed to implement the April 28 guidelines.
The requirement of registration and maintenance of validated names of subscribers and customers, their addresses and contact numbers by data centers, VPS, VPN and cloud service providers will remain as it is, and will take effect on September 25, the ministry said.
Earlier this month on June 10, the IT Ministry met with stakeholders including MSMEs, VPS, VPN and other cloud service providers to understand their position on the latest Cert In guidelines and to answer any queries they may have had on the subject answer.
ET reported that the IT ministry had made it clear that it had not attended on the six-hour service providers (VPN) service providers, technology companies, policy groups and other experts. deadline for reporting cyber security incidents.
However, the IT ministry then told stakeholders that it would give smaller companies and MSMEs some relaxation on a case-by-case basis after examining their application.
On April 28, Cert-In issued a set of guidelines for all companies, intermediaries, data centers and government organizations, according to which any data breach must be reported to the government within six hours after the organization became aware of it.
These guidelines also instructed VPN service providers to maintain all the information they have collected as part of know-your-customer rules and to hand it over to the government as and when requested.
On 18 May, the Ministry of Electronics and Information Technology issued a set of Frequently Asked Questions (FAQs) on the Cert-In Guidelines, clarifying certain aspects of how the six-hour standard will work, together with the details of the VPN service providers will have to hold on for five years.
Extending the compliance deadline is likely to be a blow to several companies, especially MSMEs that have said they do not have the capacity or bandwidth to comply with the Cert In standards at such short notice.
While some MSMEs and other companies have told the ministry that they will meet the standards but need time, some VPN service providers like ExpressVPN, Surfshark and NordVPN have said they will stop offering their services in India by 28 June offer.
This is the first time the ministry has softened its stance on the issue. Earlier on May 18, during a press conference to explain the general questions about Cert In guidelines, Minister of State for Information Technology Rajeev Chandrasekhar said VPN service providers who do not want to abide by the latest cyber security guidelines are “free to leave India “.